CD contained personal data for more than a quarter-million patients

Below:

Next story in Security

INDIANAPOLIS — The operator of 12 hospitals in Indiana and Illinois is notifying more than a quarter-million patients that compact discs containing their Social Security numbers and other personal information were lost for three days over the summer.

However, officials said they do not believe any of the 260,000 patients’ information was improperly accessed.

The Sisters of St. Francis Health Services, which operates 10 hospitals in Indiana and two in Illinois, said in the warning letter that an employee of a medical billing contractor copied the data onto several CDs in July and placed them in a new computer bag to work from home.

That employee later decided the bag was too small and exchanged it at a store, accidentally leaving the discs inside, the letter said.

Lisa Decker, a spokeswoman for St. Francis subsidiary Greater Lafayette Health Services, said Monday that the person who later bought the bag three days later immediately returned the discs and officials were confident the data was not accessed.

Officials began contacting patients on Oct. 9. Decker attributed the delay to the prolonged investigation into the incident.

The letter to patients urged them to check their credit reports.

Decker said the hospital system is examining its employee training and its data-handling procedures.